Microsoft will release 17 bulletins next week to fix 64 security vulnerabilities in Windows, Office, Internet Explorer, Visual Studio and .NET Framework.
massive April Patch Tuesday will tie the record for the most security bulletins
released at one time. It is a dramatic contrast to last month's skimpy Patch
Tuesday release, which only contained three security bulletins.
April 12, Microsoft plans to release 17 security bulletins, including nine that
are rated "Critical" and eight rated "Important." Fifteen
of the bulletins address vulnerabilities that allow attackers to remotely
totaled, the bulletins will address a stunning 64 vulnerabilities spanning
Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET
Framework and the Graphics Device Interface (GDI+).
last time Microsoft included this many bulletins in one update was in December,
according to Jason Miller, a data team manager with Shavlik
Technologies. Microsoft will set another record with the number of
vulnerabilities patched in one release. The previous Microsoft record was 49
vulnerabilities fixed for October's Patch Tuesday, according to Miller.
released April 7 did not include any specific details
about the individual patches, Microsoft said some of the fixes will address the
Windows MHTML vulnerability and the Server Message Block Browser bug in Windows
reported last January (Security
), the MHTML
allows attackers to run scripts in the wrong security context on
Windows XP, Vista, Windows 7 and all supported Windows Server releases. An
attacker could exploit the vulnerability to inject a client-side script in a
Website the user is viewing in Internet Explorer. Once executed, the script
could collect user information and spoof content. Attackers have exploited the
vulnerability in "limited, targeted attacks" using the public
proof-of-concept code, according to Microsoft.
Message Block Browser bug in Windows XP
, which could trigger a blue screen
in kernel mode, was publicly disclosed on Feb. 15. French security firm Vupen
rated the flaw as "Critical" and warned that the exploit could cause
a denial-of-service attack or completely take over the compromised system.
RCE [remote code execution] is theoretically possible, we feel it is not likely
in practice. DoS [denial of service] is much more likely," Microsoft
Security Research Center Engineering's Mark Wodrich
said on Feb. 17.
is a huge update and system administrators should plan for deployment,"
Wolfgang Kandek, CTO of Qualys, wrote on The Laws of Vulnerabilities blog.
operating systems include Windows XP, Windows XP Professional x64 Edition,
Windows Server 2003, Windows Server 2003 x64 Edition, Windows Vista (32-bit and
64-bit), Windows Server 2008 and Windows 7.
are updates for Internet Explorer 6 through 8. Despite Microsoft's attempts to
sunset IE6, it appears IE6 bugs in Windows XP and Windows Server 2003 have been
patches cover commonly used Office applications, including Microsoft Excel 2002
through 2010, Microsoft PowerPoint 2002 through 2010, and Microsoft Office 2004
for Mac through 2011.
included applications are Open XML File Format Converter, Microsoft Visual
Studio .NET 2003 Service Pack 1 through Visual Studio 2010, Microsoft Visual
C++ 2005 through 2010, Microsoft Excel Viewer Service, Microsoft PowerPoint
views 2007, Microsoft Office Compatibility Pack, and Microsoft PowerPoint Web